| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
| Cc: | Swanand Kshirsagar <swanandon(at)gmail(dot)com>, "pgsql-admin(at)lists(dot)postgresql(dot)org" <pgsql-admin(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: Restrict permissions on schema to hide pl/pgsql code |
| Date: | 2019-07-24 17:15:39 |
| Message-ID: | 30893.1563988539@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-admin |
"David G. Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> writes:
> You can consider this email to have accomplished both. Lacking someone
> saying they they are working on it and pointing you to a patch you can
> safely operate under the assumption that this behavior isn’t going to
> change.
It isn't. We've considered complaints like this before and determined
that we're not going to do anything about it. For better or worse, the
PG catalogs are readable by any authorized user, with only narrow
exceptions (like password columns).
A sufficiently determined person could perhaps do something like creating
their own PL that stores encrypted function source text in pg_proc, and
just hands it off to an existing PL after decryption. I'm not exactly
sure where you'd keep the decryption key though.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | richard coleman | 2019-07-24 17:44:50 | Re: Restrict permissions on schema to hide pl/pgsql code |
| Previous Message | Stephen Frost | 2019-07-24 17:15:10 | Re: Restrict permissions on schema to hide pl/pgsql code |